Date: Thu, 8 Nov 2001 10:18:07 -0500
From: Kutulu <kutulu@kutulu.org>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: Giorgos Keramidas <charon@labs.gr>, freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <20011108101807.A10218@pr0n.kutulu.org>
In-Reply-To: <002501c1682b$a542b7a0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 08, 2001 at 09:01:54AM +0100
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com> <20011108022328.F79276@hades.hell.gr> <002501c1682b$a542b7a0$0a00000a@atkielski.com>
On Thu, Nov 08, 2001 at 09:01:54AM +0100, Anthony Atkielski wrote:
> Currently I have telnetd turned off, and only sshd is running. I also have all
> incoming telnet and ssh traffic blocked at the router, and I only log in from my
> tiny LAN. So I should be safe logging in directly as root, although I might
> reconsider if I ever need to log into the system from a remote location.
If you only allow your root logins via a DSA public key (in sshd_config,
set PermitRootLogins = without-password), there's a very good argument that
you will be just as secure logging in as root, as you would be logging in as
a user and using 'su'. That is, if a malicious person is able to crack your DSA
keys and pretend to be you, he/she can probably also locate the root password
in the encrypted stream immediately following 'su', and decrypt it.
> ----- Original Message -----
> From: "Giorgos Keramidas" <charon@labs.gr>
> To: "Anthony Atkielski" <anthony@atkielski.com>
> Cc: <freebsd-questions@FreeBSD.ORG>
> Sent: Thursday, November 08, 2001 01:23
> Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
>
>
> > > For example, one change I made to my system was to allow root logins
> > > from remote terminals. I'd prefer to limit remote logins to root to
> > > my other machine, which is on the LAN, but I'm not aware of an
> > > option to force that, so I had to open root logins to the world.
Again... set up root to permit logins only through SSH, only with a DSA key.
Then, in /root/.ssh/authorized_keys2, you can limit specific keys to only
being valid coming from certain hosts:
    from="pattern-list"
        Specifies that in addition to RSA authentication, the canonical
        name of the remote host must be present in the comma-separated
        list of patterns (`*' and `?' serve as wildcards).
(DSA keys and RSA keys are stored in the same file format, so the same options
apply to both.)
--K
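As an added example (not from the mail above or from OpenSSH itself), a POSIX shell audit that assumes constructed sample contents for root's authorized_keys file and for sshd_config: it lists the keys that carry no from= host restriction and reports the effective PermitRootLogin value, which is what the advice in the mail asks an administrator to verify.

```shell
#!/bin/sh
# Added example, not part of the original mail: audit the two settings the
# mail recommends. Sample inputs below are constructed for this example.

# Constructed authorized_keys content: one key restricted to the LAN, one not.
# (Key data is a truncated placeholder, not a real key.)
SAMPLE_KEYS='from="10.0.0.*,*.lan.example" ssh-dss AAAAB3NzaC1kc3MAAACBALAN lan-workstation
ssh-dss AAAAB3NzaC1kc3MAAACBAUNRESTRICTED laptop
# comment lines and blank lines are ignored by sshd

'

# Constructed sshd_config content: a commented-out default and the real directive.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
PermitRootLogin without-password
PasswordAuthentication no
'

# Print the comment field (last field) of every key line that has no
# from="pattern-list" option. Options, when present, precede the key type,
# so a line is unrestricted if no from="..." appears anywhere on it.
unrestricted_keys() {
    printf '%s' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        case "$line" in
            *from=\"*\"*) ;;                   # host-restricted, nothing to report
            *) printf '%s\n' "${line##* }" ;;  # report the key's comment field
        esac
    done
}

# Print the effective PermitRootLogin value. sshd uses the first value it
# obtains for a keyword, so only the first uncommented directive counts;
# keywords are matched case-insensitively.
permit_root_login() {
    printf '%s' "$1" | grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' |
    head -n 1 | awk '{print $2}'
}

# Stand-alone run: show the findings for the constructed samples.
echo "Keys without a from= restriction:"
unrestricted_keys "$SAMPLE_KEYS"
echo "Effective PermitRootLogin: $(permit_root_login "$SAMPLE_SSHD_CONFIG")"
```

A real audit would pass the contents of /root/.ssh/authorized_keys2 (the file the mail names) and /etc/ssh/sshd_config to the two functions instead of the samples.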
